The control system at the launch site has gradually started providing unattended autonomous control during the flight mission. The autonomous control system is very important to autonomous control for ground facilities and equipment in space launch. Even if the autonomous control system has been tested, there is still no very effective method to ensure the trusted operation of the autonomous system. We propose a strategy for the trusted operation and verification of autonomous control system. Based on the state transition model of the control system, the trust verification of autonomous control system ensures the trusted operation of autonomous control. This verification is set up in the intelligent support system of the host computer, which makes lightweight for verification calculation in the control system. Trust verification strategy is the trusted stamp and the verification protocol. The state transferring of each module inside each controller is stamped by the stamping module embedded in PLC. The control output set includes the state stamps and is sent to the intelligent support system. The control verification module of the intelligent support system verifies the correction of autonomous control. The trusted state transferring is used to ensure the credibility of the autonomous operation. The paper analyzes the strategy’s security under environmental impact as well as independent and joint attack. The strategy is applied to a prototype system. It illustrates the feasibility of the strategy at launch site.

Keywords: launch site, autonomous control system, trust verification, trusted stamp, verification protocol

At present, the autonomous control of the control system is more and more widely used in the ground facilities of the launch site. Programmable Logic Controller is a kind of embedded system in the autonomous control system. The controller’s trusted operation is vital to this kind of safety-critical applications, especially in space launch missions. Conceptually, the trusted goal of the control system is to propose a running entity that can perform a special action surpassed the preset security rules, and how to verify the entity. Therefore, we need to first ensure that the software and hardware systems can be quantified and verified by calculation. The critical core of a trusted system is trusted computing. At present, the trusted control system platform is mainly considered the security issues from the perspective of security architecture. The security of the user’s operating environment is ensured by the passive defense (i.e. security patching). We are committed to ensuring trusted operation and verifiability for autonomous control systems at the space launch sites. The paper analyzes the state change and transmitting of the control system, and proposes a trust verification strategy for the autonomous control system in launch site. Based on the proposed strategy, the security mechanism and the processes are set up by the critical elements for verifying the trusted autonomous operation. Once the trusted problem is verified, the problem is submitted to the fault handling module to analyze and deal with the autonomous control system. So the strategy ensures the operation reliability and security of the whole autonomous control system.

Control system architecture

The control objects of the ground facilities and the equipment control system at the launch site include pendulum bars, launch tower platforms, propellant refueling stations, gas supplies, air conditioners, fire protection devices, cranes, aim windows, gas alarms, moving towers, etc. A general control system for the launch site can be described by a state-transfer model.^1,2

The control system receives and processes the various sensor signals from the controlled devices. These sensor signals (Sig_sen) include analog signals (AI) and digital signals (DI), e.g., the signals from coders (Cod), location detectors (Loc), operation inductors (Opt), and moving sensors (Mov). They are converted and stored in the data input port (PI) by analog-to-digital (A/D) and digital-to-analog (D/A) convertors. The sensor signal set is

Sig_sen = {AI_Cod, AI_Loc, AI_Opt, AI_Mov…, DI_Cod, DI_Loc, DI_Opt, DI_Mov…}; PI⊆ Sig_sen.

According to the control logic, initial configuration, task, and interrupt, the control program processes and responds to the port data. Then, it updates the system configuration (V) and provides the corresponding control data to the data output port. After A/D or D/A conversion, the control data are converted to analog signals or digital drive ones (AO or DO) for moving the drive mechanisms such as relays, valves, transmissions, etc. Finally, real-time control is achieved, i.e.,

Sig_drv = {AO_Rly, AOV_alv, AO_Trans, …, DO_Rly, DO_Valv, DO_Trans,…}; PO⊆ Sig_drv.

The control system is constructed using components shown in Figure 1. The figure describes the work pattern and system model of the control system. A control system can be composed of multiple controllers, and the controller’s system features are decided by {PI, V, PO}, i.e., the controller’s action is controlled by its input, output, and configuration.³

The control system at the launch site has gradually started providing unattended autonomous control during the flight mission. The control system for ground equipment plays an important role in ensuring accurate and reliable control of each system, and in completing the test preparation, propellant refueling, and launching. Because of the limited resources of the field control systems, verifying the accuracy of autonomous control is not completely possible, which may result in security risks.

Intelligent support must make system-performance forecasts when the critical equipment control performance has changed. It must have simple and convenient maintenance procedures and must ensure and must ensure that the system is always in a good condition. In the event of a sudden control fault, it must make a rapid and accurate diagnosis, and based on the location, provide countermeasures on how to handle the situation appropriately. It must maintain control safety and reliability during the mission. These requirements can be met by constructing an intelligent support architecture with remote monitoring, control verification, fault diagnosis, and prediction. Intelligent support needs to provide work capabilities under multi-mission and multi-field scenarios. The designed remote intelligent support architecture for the ground equipment at the launch site is shown in Figure 2. The architecture is divided into two levels: field level and launch-site level.

Figure 1 Work pattern and system model of control system.

Figure 2 Remote intelligent support architecture.

Field level

The control system for ground equipment is distributed at the launch site. Usually, the control system completes the control tasks independently, according to the task flow. Operators can operate the system through close control. In the case of intelligent autonomous control, the field will consume more computing resources. Field verification of whether autonomous control is correct or not requires the deployment of additional resources. These will cause field-resource strains and inconveniences in terms of the control equipment layout and maintenance. Field control systems become more complex. Therefore, the front-end of the automatic control system is set up to be lightweight, to simplify the field control system.

Launch-site level

This level is located at the command center of the launch site. Control verification verifies whether the front

Autonomous control is operating correctly or not. In the case of faults, the fault-diagnosis system automatically performs the diagnosis. Operators, technicians, and supervisors monitor the performance state of ground equipment in real-time, who can maintain system equipment and control programs. The level performs remote control in the case of abnormal situations and coordinates with remote experts for technical support and guidance. The hierarchical remote intelligent support system is briefly described as follows:

1. The field level performs autonomous control.
2. The launch-site level is for autonomous control verification and fault diagnosis.
3. The long-range level provides intelligent technical support for front-end autonomous control faults and maintenance.

The intelligent support processes involved in the control task are shown in Figure 3. The architecture key is control verification.

Figure 3 Intelligent support processes in control task.

Trusted research of control system

Now, there are a few related papers and reports about the trusted research of control system. The research of the related trusted system is mainly focused on the network, trusted computing and related software and hardware.^4‒11 For the trusted guarantee of the complex software system under the network environment, the main researchers are that establishing a new software technology hierarchy. In order to adopt the hierarchy transformation, they study software object, quality target, construction method, and operation support. The quality model of internet ware is established with the quality core. The trusted technology system is constructed by quality assurance. In the research and development of trusted computing, some scholars believe that trusted computing cannot solve all information security problems. Trusted computing technology is combined with other information security technologies in the trusted computing field. They hope that they effectively solve information security problems.

In the research of software trusted evolution management, it is considered that the nature of trusted evolution is a software modification process driven by user expectation deviation. It makes that the software system is gradually from a simple to complex and from the preliminary use to mature and credible process. In the evolution view, it studies how to improve the convergence speed and effect of software trusted evolution.

The researchers on the architecture and key technologies of trusted networks propose a possible control model for evaluating the enabling technologies of trusted networks. They analyze the credibility of the user behavior in the network access process corresponding to the control rights model. In the progress of trusted computing technology hardware, the software on the computing platform is measured by enhancing the hardware architecture of the existing open platform. The software on the platform can be ensured to operate as expected. In the control system field, the technical features of the trusted control system are integrated existing defensive measures. The researchers utilize the linkage mechanism between the inside firewall of control systems, the intrusion detection system and the trusted connection server. It can improve the overall defense and security capability of control systems,^12,13 but it doesn’t have the trusted verification and cannot ensure the trusted operation.

The credible risks are very high in actual applications at the aerospace launch site. For example, the control system of propellant injection is a typical system. It requires monitoring of temperature, pressure, and flow velocity, valve opening size, etc. It involves each valve action sequences and time as well as pipeline pressures while controlling valve opening or opening size. If the control information is incorrect, the propellant injection system may cause leakage or tube burst and freezing. Its consequences are catastrophic. Certainly, measures have generally been taken for these keys in the control system. Some have adopted redundant or hot backup methods. Some have added monitoring points and fault handling software. Others are strict with the test inspection and control the identity of software users. But there is no trusted verification in control system, whether the state transmission can be trusted exists the risk on the information source and host as well as terminal. Therefore, the untrusted verified system exists risks on safe and reliable. Trusted computing or credibility verification has become the main issue in the field of information security. However, correlated trusted research lags behind the application needs in actual control systems. It still lacks typical solutions.

Trusted Elements in Control System

Based on the control system model,³ ensuring the trusted state transferring in the controller is the key to ensure the credibility of the autonomous operation.

Set M = < V, v₀, PI, PO, R_PI, PM>, where V is the finite-state set of nonempty configurations inside the controller, PI is the finite set of non-empty inputs, PO is the finite set of nonempty outputs, and R_PI is the mapping set of an input subset. v₀⊆V, where v₀ is the initial state of the control program.

R_PI ⊂ β(PI) ∈{r_i}, (i = 1,2,…), where β is the transform function set of confirmed generalized verification. β filters an input subset that is effective in handling state transform. r_i is a subset of PI. PM describes the incomplete mapping of the control program.

PM(a, b): β(V) × β(PO) × R_PI → β(V) × β(PO), where a ∈ β(V)×β(PO), b ∈ R_PI. v₀ ∈ β(V)×β(PO).

There are n states inside a controller. Each state transform is decided by M. M is constructed by {M₁, M₂,…M_L} inner states. It includes multiple states transferring labeled as φ_i (i=1,2,…n). Each M₁ may have several φ_i. Likewise, the state transformations combined multiple controllers is the same as individual controller inner states. The controller is abstracted by its operation states from the configuration of a controller, e.g. it is showed in Figure 4. So the trusted elements of the controller include input/output interface, configuration transformation, state transferring and programmable components. The network interface is outside the scope of the controller. We embed trusted verification computation in the controller to verify each input/output and state transfer.

The model M of the example consists of four submodule M_i (i=1,2,3,4). φ={φ₁, φ₂, φ₃, φ₄}is the verified property, which φ_i (i=1,2,…4) is the state transferring property from the input set to output set. It needs to ensure that the transferring property is trusted from input to output. A group of submodule M_i transforms configuration according to transferring path. We utilize the principle of digital signatures based on Schnorr protocol.¹⁴ The module members are marked particular stamps for output and verified stamps for input.

Figure 4 State transferring diagram of controller.

φ₁, φ₂, …φ_n are defined as n state transferring to a controller.

Generates a key pair

To choose two large prime p and q, q is the prime factor of p-1. According to Schnorr’s suggestion, it is chosen q≥2¹⁴⁰ and p≥2⁵¹², and then the primitive a (a≠1) of rank q is chosen in GF(p) and satisfies a^q ≡1 mod p.¹⁴ The one-way hash function HASH is chosen and makes function h→{0,1,…2^t-1}. These numbers and the function are promulgated and shared by all state members M_j (j=1,2…L).

Each φ_i chooses the private key K_i which is defined as a random number less than q on GF(q). The public key is

U_i=a^-Ki mod p (i=1,2,…n)                   (1)

Generates state stamp

Assumed that T is the scan period of a response in the controller, state transferring has the performance time T_i

(i=1,2,…n), where T=T₁+T₂+ … +T_n. The designed scan period should be abided, or else the design and T_i reset. T and T_i are the time mark of the system given to every member states. It requires that the submodule should finish their work and state transferring at the given times. When state stamp being calculated, the system automatically gets corresponding system unify-time for consistency. Every time T_i exists the differences in precise time because of different performances. The process of state stamp is designed as below that n states transferring to result f.

First, defined x₀= a^T (mod p). φ_i has choose the random number d_i on GF(q). Calculating

x_i= x_i-1 • a^-Ti • a^di (mod p) ,                   (2)

and x_i is sent to the sub module M_j (j=1,2,…L) related φ_i. When j=L, M_L send x_n to PO.

Then assuming y₀=0 and calculating is processed

e=h(x_n, f),

y_i= y_i-1+(d_i+K_ie) (mod q) (i=1,2,…n) ,                (3)

Finally, {f, e, y_n} is sent to PO and verified. {f, e, y_n} is the group state stamp of the result f signed by the state

transferring φ₁, φ₂,…, φ_n in the controller.

Verifying state stamp

The PO receives the group state stamp {f, e, y_n}, and then verifies the whole stamp with the public key U_i of the state transferring. Calculating

${x^{\prime }}_n=a^{y_n}{\left({\displaystyle {\prod }_{i=1}^n{U}_i}\right)}^e\left(\mathrm{mod} p\right)$ (4)

then further verifying e=h(x_n’, f) whether or not comes into existence. If the verification equation comes into existence, the output is confirmed that the result is valid and can process the next performance. If the verification fails, the control system refuses the result.

The equation showed below is proved the validity of the state stamp scheme. Because it is based on (3) and (1), it has

${x^{\prime }}_n=a^{y_n}{\left({\displaystyle {\prod }_{i=1}^n{U}_i}\right)}^e\left(\mathrm{mod}p\right)=a^{y_{n-1}+\left(d_n+k_{n}e\right)\left(\mathrm{mod}q\right)}\cdot {\left({\displaystyle {\prod }_{i=1}^{n-1}{U}_i}\right)}^e\cdot {\left(U_n\right)}^e\left(\mathrm{mod}p\right)$

$=a^{y_{n-1}}\cdot a^{\left(d_n+k_{n}e\right)\left(\mathrm{mod}q\right)}\cdot {\left({\displaystyle {\prod }_{i=1}^{n-1}{U}_i}\right)}^e\cdot {\left(a^{-k_n}\right)}^e\left(\mathrm{mod}p\right)=a^{y_{n-1}}\cdot {\left({\displaystyle {\prod }_{i=1}^{n-1}{U}_i}\right)}^e\cdot {\left(a^{r_n}\right)}^e\left(\mathrm{mod}p\right)$

It can be obtained the below equation on the analogy of (3).

${x^{\prime }}_n=a^{d_n}\cdot a^{d_{n-1}}\mathrm{....}{a}^{d_1}\left(\mathrm{mod}p\right)$

Due to (2) and initial condition x₀, the equation is

$\begin{array}{l}{x^{\prime }}_n=\left[x_n/\left(x_{n-1}{a}^{-Tn}\right)\right]\left[x_{n-1}/\left(x_{n-2}{a}^{-Tn-1}\right)\right]\mathrm{.....}\left[x_1/\left(x_0{a}^{-T1}\right)\right]\left(\mathrm{mod}p\right)\\ =x_n/\left(x_0{a}^{-Tn-Tn-1-\mathrm{.....}-T1}\right)\left(\mathrm{mod}p\right)=x_n\left(\mathrm{mod}p\right)\end{array}$

So e= h(x_n, f)= h(x_n^’, f) is verified.

During the state stamp, every state transferring φ_i apply the below equation to verify the validity of the stamp y_i-1.

${x^{\prime }}_{i-1}=a^{T-T_1-T_2\mathrm{.....}{T}_{i-1}}\cdot a^{y_{i-1}}{\left({\displaystyle {\prod }_{j=1}^{i-1}{U}_j}\right)}^e\left(\mathrm{mod}p\right)\left(i=2,3,\mathrm{...}n\right)$ (5)

The validation is to judge whether or not x_i-1’ = x_i-1 comes into existence. In fact (4) is a special example of (5). Similarly, the validation can be capable of proof.

${x^{\prime }}_{i-1}=a^{T-T_1-T_2\mathrm{.....}{T}_{i-1}}\cdot a^{y_{i-1}}{\left({\displaystyle {\prod }_{j=1}^{i-1}{U}_j}\right)}^e\left(\mathrm{mod}p\right)=a^{T-T_1-T_2\mathrm{.....}{T}_{i-1}}\cdot a^{r_{i-1}}\cdot a^{r_{i-2}}\mathrm{....}\cdot a^{r_1}=x_{i-1}$

During the state stamp, the verification is considered that the group state stamp mentioned above is correct.

Because a majority of calculation needed to produce a stamp can be finished in the phase of pretreatment and be

independent of massages that are ready to be stamped, the calculation can be processed in idles and not influence the stamping speed. For the same level of security, the stamp length based on Schnorr protocol is much shorter than other signature protocol.¹⁴ The security of the signature and authentication scheme is founded on the computational difficulty of the discrete logarithm. There is randomness influence on trusted operation caused by environment or components performance. Because of state stamping, it is easy to verify these trusted problems during system operation. It will not cause a particular trusted problem. However, intentional attack on the controller is the biggest risk of the trusted operation. The following analysis of the protocol is faced with trusted operation security under attack.

The security of exterior independence attack

The security of every single stamp is the same as the Schnorr’s.¹⁵ The attack on group stamp has the modes mentioned below. Under the mode a), b), c), d) and e) the computational difficulty is the equivalence of calculating discrete logarithm on GF(p).

1. Anyone can obtain the value p, a and U_i. Someone tries to obtain K_i from U_i=a^-Ki mod p. It is impossible to obtain the private key K_i that the attacker is directly started with generating the key.
2. Someone tries to obtain K_i or random number d_i by U_i, x_i, and y_i.
3. Someone tries to obtain K_i or random number d_i by the public information {f, e , y_n} or {f, e, y} and the verification equation (5).
4. An attacker may try to choose randomly an integer K_i’ and then solve d_i by the equation of calculating y_i.
5. The attacker has known x₀, x₁,… x_i and tries to solve y_i or has also known y_i to solve d_i which are met the equation

$x_i=a^{T-T_1-T_2\mathrm{....}{T}_{i-1}}\cdot a^{y_i}({{\displaystyle {\prod }_{j=1}^i\left(U_j\right)}}^e\left(\mathrm{mod} p\right)$ ,

who wants to make the whole group stamp met the verification equation by use of calculating a part of group stamps.

An attacker may try to personate or change φ_i under the condition of unknowing K_i. The method is that the history information of the stamping process is collected and then the current stamp information is calculated or personated by the history information. Because the time mark T_i is added to the scheme and different every time, it is different from history and current information. It means that x_i of the same φ_i is different every time and e is different too. The history stamp y_i cannot be utilized.

Analyzing the security of united attack

The united attack is that the obtained some stamps are united to solve other stamps of module group. It is not repeated here to the analysis of security similar exterior independence attack. If a part of stamps is united to forge one or several stamps, they need one or several K_i. The condition is impossible as above. If k stamps are united to forge h stamps of φ_i (k+h≤n) and make the group stamp valid to the verification during the state stamping, the verification equation needs to be met. They also face the computational problem of the discrete

logarithm. The replace attack is a kind of forging attack that has much dangerous. Because the security of φ_i’s stamp is the equivalence of Schnorr’s protocol, the replace attack is invalidated in the scheme of the paper.

It can be summed up the discussion that it is secure to the group stamp based on the computational difficulty of the discrete logarithm. According to the conclusion proved by the theory of computational complexity, 2^t is the difficulty of breaking the protocol (the probability is 2^-t, and Schnorr suggested t≥72).^14,16 The attacker can calculate for several years to forge a stamp.^14,15,17 But time mark is added into the scheme and enhanced the capability of anti-attack. In the state stamp, every module verifies the previous stamp and then stamping after the verification is correct. So the capability of anti-attack is enhanced further.

We have built a prototype system to verify the operation of the protocol. A desk computer connects the controller with the interface of input/output and optical network. The control verification system is carried out on a computer, Intel® Core™ i3 M530 Processor, 2.53GHz, 4GB RAM. The system generates a key pair and sent to package in PI. The verification algorithm modules receive the PO packages and perform the verification on the computer. The controller is chosen ZC-300 PLC based on LOONGSON 1A.¹⁸ The state stamping calculation is embedded in the PLC. The computer sends out input driving at the input port of the controller. Each state transferring of the controller is stamped on the controller. Finally, the computer accepts the output result and the verification module verifies the stamps. For accumulative total about 10000 state transferring, the calculating speed of the stamping and the verification is at most the microsecond order of magnitude or faster. The millisecond-level control is enough to deal with at launch sites. With the controller performance improvement, the application of this protocol has a larger capacity. The research identifies the elements of a trusted autonomous operation based on the control system model in the paper.

The key to the elements is the credibility of the state transferring. We create a guarantee mechanism for trusted operation on the autonomous control system and design the trusted stamp and the verification protocol. By constructing the control system model, the trusted state migration is determined by the model. We design to ensure the trustworthiness of the state migration, so as to obtain the credibility of the autonomous system. The trusted state transferring ensures the autonomous system trusted operation. In the next step, the actual algorithm of state stamp and verification will be optimized. Although theoretical and prototype system is feasible, there are still many issues to be studied in engineering applications.

This work was funded by the project of General Technology on Test and Launch partially sponsored by the 973 program. We would like to thank Tsinghua’s Prof. Yu Liu who provided us with helpful suggestions and some research resources in the research.

Authors declare that there is no conflict of interest.

1. Xiao LT, et al. System Architecture and Construction Approach for Intelligent Space Launch Site. Advances in Intelligent Systems and Computing. 2019;856:397‒404.
2. Xiao LT, Xiao N, Mengyuan L, et al. Intelligent Architecture and Hybrid Model of Ground and Launch System for Advanced Launch Site. IEEE Aerospace; 2019.
3. Xiao LT, Li MY, Ming G, et al. PLC programs' checking method and strategy based on module state transfer. IEEE Int Conf Information and Automation; 2015. 702–706 p.
4. Wang J, Shi Y, Peng G, et al. Survey on Key Technology Development and Application in Trusted Computing. China Communication. 2016;13(11):70‒90.
5. Yudhi Biantoro, Ian Joseph ME. A literature review of service computing system trust. 2017 International Conference on Information Technology Systems and Innovation (ICITSI); 2017. 361‒366 p.
6. Hiltunen J, Kuusijarvi J. Trust Metrics Based on a Trusted Network Element. 2015 IEEE Trustcom/BigDataSE/ISPA; 2015. 19‒35 p.
7. Michael JB. Trusted Computing: An Elusive Goal. Computer. 2015;48(3):99‒101.
8. Zhexiong W, Yu RF, Tang H, et al. Securing cognitive radio vehicular Ad hoc networks with trusted lightweight cloud computing. 2016 IEEE Conference on Communications and Network Security; 2016. 1‒10 p.
9. Noorman J, Agten P, Daniels W, et al. Sancus: low-cost trustworthy extensible networked devices with a zero-software trusted computing base. Usenix Conference on Security; 2013. 479‒494 p.
10. Maene P, Gotzfried J, Clercq R, et al. Hardware-Based Trusted Computing Architectures for Isolation and Attestation. IEEE Transactions on Computers. 2018;67(3):361‒374.
11. Rauter T, Höller A, Iber J, et al. Thingtegrity: A Scalable Trusted Computing Architecture for Resource Constrained Devices. International Conference on Embedded Wireless System & Networks; 2016. 23‒34 p.
12. Morris T, Vaughn R, Dandass Y, et al. A retrofit network intrusion detection system for modbus RTU and ASCII industrial control systems. IEEE 45th Hawaii International Conference on System Sciences: Piscataway, NJ; 2012. 2338‒2345 p.
13. Knowles W, Prince D, Hutchison D, et al. A survey of cyber security management in industrial control systems. International Journal of Critical Infrastructure Protection. 2015;9:52‒80.
14. Schnorr CP. Efficient Signature Generation for Smart Card. Journal of Cryptology. 1991;4(3):161‒174.
15. Hwang SJ, Hwang MS, Tzeng F. A New Digital Multi-signature Scheme with Distinguished Signing Authorities. Journal of Information Science & Engineering. 2010;19(5):881‒887.
16. Tahat N, Mustafa Z, Alomari AK. New ID-based digital signature scheme on factoring and discrete logarithms. Applied Mathematical Sciences. 2012;6(25-28):1363‒1369.
17. Tuan HD, Nguyen HM, Tran CM, et al. Integrating Multi-signature Scheme into the Group Signature Protocol. International Conference on Advances in Information & Communication Technology; 2016. 294‒301 p.
18. http://www.loongson.cn/product/cpu/1/Loongson1A.html